]> git.sesse.net Git - ffmpeg/commit
projects / ffmpeg / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 9d38f06) | patch
nutdec: reject negative value_len in read_sm_data
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Sat, 19 Dec 2015 11:02:56 +0000 (12:02 +0100)
committerAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Sat, 19 Dec 2015 16:57:56 +0000 (17:57 +0100)
commitce10f572c12b0d172c72d31d8c979afce602bf0c
treeacca74794a52a9fae2082d306668145e23993efctree | snapshot
parent9d38f06d05efbb9d6196c27668eb943e934943aecommit | diff
nutdec: reject negative value_len in read_sm_data

If it is negative, it can cause the byte position to move backwards in
avio_skip, which in turn makes sm_size negative and thus size larger
than the size of the packet buffer, causing invalid writes in avio_read.

Also fix potential overflow of avio_tell(bc) + value_len.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
libavformat/nutdec.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.